
v1.28 Backports 2024-06-01 #786

Merged
merged 8 commits into from
Jun 4, 2024

Conversation

sayboras

@sayboras sayboras commented Jun 1, 2024

…external

[ upstream commit 7358b64 ]

Use the original source address if permitted even if the destination is
external to the cluster.

Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
Signed-off-by: Tam Mach <tam.mach@cilium.io>
Date:   2024-05-31 16:38:45 +0200

[ upstream commit 1de461c ]

Author: Jarno Rajahalme <jarno@isovalent.com>
Date:   2024-05-31 16:32:26 +0200

bpf: Allow reopening a map

close any possible existing map before opening a new one. This allows
Open() to be called again to reopen the map.

Store the path passed to open() for later re-try during lookup(), if the
open failed.

Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
Signed-off-by: Tam Mach <tam.mach@cilium.io>
[ upstream commit 0c89a4a ]

Move ipcache singleton management from bpf_metadata.cc to ipcache.cc so
that the singleton can be accessed without going through
bpf_metadata. This avoids a Bazel import cycle in following commits.

Add new static methods to ipcache to create and get the singleton.

Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
@sayboras sayboras force-pushed the pr/v1.28-backport-2024-06-01-09-39 branch 2 times, most recently from 337be4f to 421f938, June 1, 2024 12:47
@sayboras sayboras marked this pull request as ready for review June 1, 2024 13:33
@sayboras sayboras requested a review from a team as a code owner June 1, 2024 13:33
sayboras added a commit to sayboras/cilium that referenced this pull request Jun 4, 2024
Relates: cilium/proxy#786
Signed-off-by: Tam Mach <tam.mach@cilium.io>

@jrajahalme jrajahalme left a comment


Small cleanup I'd like to see on the 4th commit.

Also will have to be careful to combine the related cilium/cilium changes when bumping releases to this new image!

cilium/network_policy.cc (two review threads, outdated and resolved)
@sayboras sayboras force-pushed the pr/v1.28-backport-2024-06-01-09-39 branch from 56d12b2 to 3d0efc0, June 4, 2024 06:49
cilium/network_policy.cc (review thread, outdated and resolved)
jrajahalme and others added 5 commits June 4, 2024 17:22
[ upstream commit 669610f ]

Make server factory context available by storing it in a member.

Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
[ upstream commit 02047ea ]

Add GrpcMuxImpl wrapper class to get access to onStreamEstablished(), and
implement isNewStream() that returns 'true' on the first call after a new
stream has been established.

Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
Signed-off-by: Tam Mach <tam.mach@cilium.io>
[ upstream commit c9e6d84 ]

Reopen ipcache map each time after a new gRPC stream has been established
for Network Policy Discovery Service. This is necessary to get access to
the new IP Cache map Cilium Agent creates on restart.

Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
Signed-off-by: Tam Mach <tam.mach@cilium.io>
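The two commits above (reopenable map; reopen on every new NPDS stream) describe one fd lifecycle. The class below is an added illustration, not cilium/proxy code: opening a pinned BPF map is replaced by a plain POSIX open() of a path so it runs anywhere, and the class and method names are this example's own. Keeping a stale descriptor would keep answering lookups from the old map after an agent restart, which is what the reopen avoids.

```cpp
#include <fcntl.h>
#include <unistd.h>
#include <string>

class ReopenableMap {
 public:
  ~ReopenableMap() { closeFd(); }

  // Close any descriptor from a previous Open() before opening `path`, so
  // Open() can be called repeatedly. A failed path is remembered for retry.
  bool Open(const std::string& path) {
    closeFd();
    path_ = path;
    fd_ = ::open(path.c_str(), O_RDONLY);  // stand-in for bpf_obj_get(path)
    return fd_ >= 0;
  }

  // Retry the deferred open if the first attempt failed (the map may not
  // have been pinned yet), then report whether the map is usable.
  bool Lookup() {
    if (fd_ < 0 && !path_.empty() && !Open(path_)) return false;
    return fd_ >= 0;  // the real map would run bpf_map_lookup_elem on fd_ here
  }

  // Called when a new NPDS gRPC stream is established: the agent may have
  // restarted and pinned a fresh map, so drop the old descriptor and reopen.
  bool ReopenForNewStream() { return path_.empty() ? false : Open(path_); }

  int fd() const { return fd_; }

 private:
  void closeFd() {
    if (fd_ >= 0) { ::close(fd_); fd_ = -1; }
  }
  int fd_ = -1;
  std::string path_;
};
```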
[upstream commit]

This is to fix the below CVE.

```
ADVISORY             SEVERITY  PACKAGE           CURRENT VERSION  FIXED IN VERSION
GHSA-4v7x-pqxf-cx7m  Medium    golang.org/x/net  v0.21.0          0.23.0
GO-2024-2687         Unknown   golang.org/x/net  v0.21.0          0.23.0
```

Signed-off-by: Tam Mach <tam.mach@cilium.io>
[upstream commit d34c0d3]

Patch original destination cluster to avoid multiple hosts for the same
address.

Connection pool containers use HostSharedPtr as map keys, rather than the
address of the host. This leads to multiple connections when there are
multiple Host instances for the same address. This is breaking use of the
original source address and port for upstream connections since only one
such connection can exist at any one time.

Original destination cluster implementation creates such duplicate Host
instances when two worker threads are racing to create a Host for the
same destination at the same time.

Fix this by keeping a separate 'updates_map' where each worker places a
newly created Host for the original destination. This map is used to look
for the Host if it cannot be found from the shared read-only
'host_map'. Access to 'updates_map' is synchronized so that it can be
safely shared by the worker threads. The main thread consolidates the
updates from the 'updates_map' to a new instance of the shared, read-only
hosts map, so that the workers do not need to stall for possibly large
map updates.

Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
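The scheme in the commit message above (read-only host map plus a synchronized updates map, consolidated by the main thread), as an added example that is not the Envoy or cilium/proxy implementation; Host, the map types and the method names are simplified stand-ins chosen for this example.

```cpp
#include <map>
#include <memory>
#include <mutex>
#include <string>

struct Host { std::string address; };              // stand-in for Envoy's Host
using HostSharedPtr = std::shared_ptr<Host>;
using HostMap = std::map<std::string, HostSharedPtr>;
using HostMapConstSharedPtr = std::shared_ptr<const HostMap>;

class OriginalDstCluster {
 public:
  // Worker step 1: grab the current immutable snapshot; no lock needed.
  HostMapConstSharedPtr snapshot() const { return std::atomic_load(&host_map_); }

  // Worker step 2: resolve `address` against `snap`, then against the
  // synchronized updates map. Two workers racing with the same stale
  // snapshot both reach the fallback, but only the first creates a Host.
  HostSharedPtr getHost(const HostMapConstSharedPtr& snap, const std::string& address) {
    HostMap::const_iterator it = snap->find(address);
    if (it != snap->end()) return it->second;
    std::lock_guard<std::mutex> lock(updates_lock_);
    HostMap::iterator uit = updates_map_.find(address);
    if (uit != updates_map_.end()) return uit->second;  // another worker won the race
    HostSharedPtr host = std::make_shared<Host>(Host{address});
    updates_map_[address] = host;
    ++hosts_created_;
    return host;
  }

  // Main thread: copy the old snapshot, merge the pending updates, publish
  // the result atomically, then drop the consolidated updates. Workers keep
  // reading the old snapshot meanwhile, so they never wait on the rebuild.
  void consolidate() {
    std::lock_guard<std::mutex> lock(updates_lock_);
    std::shared_ptr<HostMap> next = std::make_shared<HostMap>(*snapshot());
    next->insert(updates_map_.begin(), updates_map_.end());
    std::atomic_store(&host_map_, HostMapConstSharedPtr(next));
    updates_map_.clear();
  }

  size_t hostsCreated() { std::lock_guard<std::mutex> lock(updates_lock_); return hosts_created_; }
  size_t pendingUpdates() { std::lock_guard<std::mutex> lock(updates_lock_); return updates_map_.size(); }

 private:
  HostMapConstSharedPtr host_map_ = std::make_shared<HostMap>();  // read-only, swapped atomically
  std::mutex updates_lock_;   // guards updates_map_ and hosts_created_
  HostMap updates_map_;
  size_t hosts_created_ = 0;
};
```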
@sayboras sayboras force-pushed the pr/v1.28-backport-2024-06-01-09-39 branch from 3d0efc0 to f16f489, June 4, 2024 07:22
@sayboras sayboras requested a review from jrajahalme June 4, 2024 07:29

@jrajahalme jrajahalme left a comment


Looks great, thanks!

@jrajahalme jrajahalme merged commit dcdcc72 into v1.28 Jun 4, 2024
5 checks passed
@jrajahalme jrajahalme deleted the pr/v1.28-backport-2024-06-01-09-39 branch June 4, 2024 07:41
sayboras added a commit to cilium/cilium that referenced this pull request Jun 5, 2024
This commit is to bump envoy version to v1.28.4 for below CVEs:

- [CVE-2024-34362: Crash (use-after-free) in EnvoyQuicServerStream](https://togithub.com/envoyproxy/envoy/security/advisories/GHSA-hww5-43gv-35jv)
- [CVE-2024-34363: Crash due to uncaught nlohmann JSON exception](https://togithub.com/envoyproxy/envoy/security/advisories/GHSA-g979-ph9j-5gg4)
- [CVE-2024-34364: Envoy OOM vector from HTTP async client with unbounded response buffer for mirror response, and other components](https://togithub.com/envoyproxy/envoy/security/advisories/GHSA-xcj3-h7vf-fw26)
- [CVE-2024-32974: Crash in EnvoyQuicServerStream::OnInitialHeadersComplete()](https://togithub.com/envoyproxy/envoy/security/advisories/GHSA-mgxp-7hhp-8299)
- [CVE-2024-32975: Crash in QuicheDataReader::PeekVarInt62Length()](https://togithub.com/envoyproxy/envoy/security/advisories/GHSA-g9mq-6v96-cpqc)
- [CVE-2024-32976: Endless loop while decompressing Brotli data with extra input](https://togithub.com/envoyproxy/envoy/security/advisories/GHSA-7wp5-c2vq-4f8m)
- [CVE-2024-23326: Envoy incorrectly accepts HTTP 200 response for entering upgrade mode](https://togithub.com/envoyproxy/envoy/security/advisories/GHSA-vcf8-7238-v74c)

Additionally, this build also includes a couple of Cilium fixes, more
details can be found in #786.

Upstream release: https://github.com/envoyproxy/envoy/releases/tag/v1.28.4
Relates: cilium/proxy#786

Signed-off-by: Tam Mach <tam.mach@cilium.io>
sayboras added a commit to cilium/cilium that referenced this pull request Jun 5, 2024
sayboras added a commit to cilium/cilium that referenced this pull request Jun 5, 2024
qmonnet pushed a commit to cilium/cilium that referenced this pull request Jun 5, 2024
qmonnet pushed a commit to cilium/cilium that referenced this pull request Jun 5, 2024
michi-covalent pushed a commit to cilium/cilium that referenced this pull request Jun 5, 2024